```hcl
# Create logic app workflow
resource "azurerm_logic_app_workflow" "workflw" {
  name                = "devtest-workflw"
  location            = azurerm_resource_group.logic.location
  resource_group_name = azurerm_resource_group.logic.name
}

# Create a storage account (locked down to the services subnet, file share via private endpoint)
module "storage_account" {
  source                                   = "../.."
  version                                  = "2.0.0"
  resource_group_name                      = azurerm_resource_group.logic.name
  resource_group_location                  = var.region
  environment                              = "dev"
  product                                  = "demo"
  virtual_network_subnet_ids               = [module.subnet_services.subnet_id]
  account_tier                             = "Standard"
  account_kind                             = "StorageV2"
  account_replication_type                 = "ZRS"
  file_private_dns_zone_name               = "privatelink.file.core.windows.net"
  private_dns_zone_resource_group_name     = "hub-privatedns-rg"
  storage_account_file_private_dns_zone_id = var.storage_account_file_private_dns_zone_id

  use_file_private_endpoint  = true
  private_endpoint_subnet_id = module.subnet_services.subnet_id

  tags     = local.tags
  ip_rules = ["0.0.0.0 ", "0.0.0.0 "]
}

# File share on the storage account
resource "azurerm_storage_share" "share" {
  name                 = "devtest-share"
  storage_account_name = module.storage_account.name
  quota                = 50
}

# Standard (single-tenant) logic app backed by the storage account above
resource "azurerm_logic_app_standard" "standard" {
  name                       = "dev-logicstand"
  location                   = azurerm_resource_group.logic.location
  resource_group_name        = azurerm_resource_group.logic.name
  app_service_plan_id        = azurerm_service_plan.aseasp.id
  storage_account_name       = module.storage_account.name
  storage_account_access_key = module.storage_account.primary_access_key
}

# Regional VNet integration (swift connection) into the services subnet
resource "azurerm_app_service_virtual_network_swift_connection" "swift_connect" {
  app_service_id = azurerm_linux_web_app.as.id
  subnet_id      = module.subnet_services.subnet_id
}
```

```text
Error: creating Logic App Standard: (Site Name "dev-logicstand" / Resource Group "dev-logicapp-rg"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible." Details=[{"Message":"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"99022","Message":"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible.","MessageTemplate":"Creation of storage file share failed with: '{0}'. Please check if the storage account is accessible.","Parameters":["The remote server returned an error: (403) Forbidden."]}}]

on LogicApp.tf line 48, in resource "azurerm_logic_app_standard" "standard": 48: resource "azurerm_logic_app_standard" "standard" {
```

vinunun
  • Looking at your configuration, the storage uses VNet integration and Private Link, so you need to enable VNet integration for your logic app as well, otherwise they won't be able to talk to each other. – Thomas Jul 29 '22 at 01:49
  • @Thomas But in order to integrate the VNet, the standard logic app needs to be deployed first. This error occurs before the actual deployment of the standard logic app. – vinunun Jul 29 '22 at 17:39
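
The 403 in the error above is the storage account firewall, not the file share itself: once the module sets `virtual_network_subnet_ids` and `ip_rules`, the account only admits traffic that matches a rule, and the share is created by the App Service platform on the app's behalf at deployment time, from Azure infrastructure that is neither in the services subnet nor on Azure Storage's trusted-services list. The script below is an added illustration, not the asker's module and not Azure's implementation: it models the documented order of storage firewall checks (default action, "AzureServices" bypass, subnet rules, IP rules) and runs the posted rule set against two constructed callers, the control plane creating the share and the same app after VNet integration. The subnet resource ID, the caller IP and the Deny default action are assumptions.

```python
"""Simplified model of Azure Storage account network-rule (firewall) evaluation.

Added illustration, not the asker's module and not Azure's own code. The rule
set and callers are constructed; the subnet resource ID is hypothetical.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class NetworkRuleSet:
    default_action: str                                    # "Allow" or "Deny"
    bypass: Set[str] = field(default_factory=set)          # e.g. {"AzureServices"}
    ip_rules: List[str] = field(default_factory=list)      # public IPv4 addresses or CIDRs
    subnet_ids: List[str] = field(default_factory=list)    # ARM IDs of allowed subnets


@dataclass
class Caller:
    description: str
    source_ip: Optional[str] = None        # public IP the request arrives from, if any
    subnet_id: Optional[str] = None        # subnet the request is routed through, if VNet-integrated
    trusted_azure_service: bool = False    # on Azure Storage's trusted-services list


def evaluate(rules: NetworkRuleSet, caller: Caller) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against one rule set."""
    if rules.default_action.lower() == "allow":
        return True, "default action is Allow; network rules are not enforced"
    if caller.trusted_azure_service and "AzureServices" in rules.bypass:
        return True, "trusted Azure service bypass"
    if caller.subnet_id is not None:
        allowed = {s.lower() for s in rules.subnet_ids}   # ARM IDs compare case-insensitively
        if caller.subnet_id.lower() in allowed:
            return True, "source subnet is listed in virtualNetworkRules"
    if caller.source_ip is not None:
        ip = ipaddress.ip_address(caller.source_ip)
        for rule in rules.ip_rules:
            try:
                net = ipaddress.ip_network(rule.strip(), strict=False)
            except ValueError:
                continue   # a malformed entry never matches anything
            if ip in net:
                return True, f"source IP matches ipRule {rule.strip()}"
    return False, "no rule matched and default action is Deny (HTTP 403 Forbidden)"


# Constructed to mirror the posted module inputs: one subnet rule, the two
# "0.0.0.0 " IP entries, and a Deny default action (assumed; the rules have
# no effect unless the default is Deny). The subnet ID is a placeholder.
SERVICES_SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/dev-logicapp-rg"
    "/providers/Microsoft.Network/virtualNetworks/dev-vnet/subnets/services"
)
POSTED_RULES = NetworkRuleSet(
    default_action="Deny",
    bypass=set(),
    ip_rules=["0.0.0.0 ", "0.0.0.0 "],
    subnet_ids=[SERVICES_SUBNET_ID],
)
OPEN_RULES = NetworkRuleSet(default_action="Allow")

# The App Service platform creates the content share for the app at deployment
# time. It arrives from Azure infrastructure, is not a trusted service for
# storage, and is not yet routed through the integrated subnet.
CONTROL_PLANE = Caller(
    description="App Service control plane creating the content file share",
    source_ip="40.112.0.10",               # constructed public Azure IP
    trusted_azure_service=False,
)
# The same app after regional VNet integration routes storage traffic via the subnet.
INTEGRATED_APP = Caller(
    description="Logic App Standard with VNet integration into the services subnet",
    subnet_id=SERVICES_SUBNET_ID.upper(),  # different casing on purpose
)


def explain(rules: NetworkRuleSet, callers: List[Caller]) -> List[str]:
    """One human-readable verdict line per caller."""
    lines = []
    for c in callers:
        ok, why = evaluate(rules, c)
        lines.append(f"{'ALLOW' if ok else 'DENY '} {c.description}: {why}")
    return lines


if __name__ == "__main__":
    for line in explain(POSTED_RULES, [CONTROL_PLANE, INTEGRATED_APP]):
        print(line)
    print(explain(OPEN_RULES, [CONTROL_PLANE])[0])
```

Run as-is it reports DENY for the control plane and ALLOW for the VNet-integrated app against the same rule set, which is the chicken-and-egg the comments describe: the app cannot be integrated until it exists, and it cannot be created while the share creation is refused. The model deliberately ignores finer points of the real firewall (for example the exceptions Azure applies to IP rules for same-region traffic), so treat it as a way to reason about which rule a request would hit, not as a substitute for checking the account's `networkRuleSet` in the portal or CLI.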

1 Answer


• You are getting this error because, from the configuration, it looks like you want to create a private endpoint to the storage account and access the file share in it through the logic app workspace to store or pull data from it securely via the Private Link configuration created in the private DNS zone. As a result, you will have to ensure that your storage account and the logic app deployed are in the same region for the private endpoint linked to the storage account to be effectively deployed through the Terraform IaC.

• Thus, first the storage account and the file share hosted in it should be created, and only then should the private endpoint for the storage account be provisioned for the file share. In the current Terraform IaC code, the private link creation is executed at the same time as the storage account is deployed, due to which the private link creation via the private endpoint is not possible. Hence the error you are facing regarding the accessibility of the file share: it is still in creation.

For more details, kindly refer to the below terraform documentation link: -

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint

Kartik Bhiwapurkar
  • The storage account has already been created with private endpoints and a DNS zone, and the file share was also created on top of it. Since we are using the module here, we provided the private endpoint and DNS zone during the creation itself. I don't think that this is causing the issue. Also, both the storage account and the logic app are in the same region. – vinunun Aug 03 '22 at 19:55